Systems Theoretic Process Analysis (STPA)

Systems Theoretic Process Analysis (STPA)

Tutorial

Dr. John Thomas

MIT

Systems approach to safety engineering (STAMP)

• Accidents are more than a chain of events, they involve complex dynamic processes.

• Treat accidents as a control problem, not a failure problem

• Prevent accidents by enforcing constraints on component behavior and interactions

• Captures more causes of accidents: – Component failure accidents – Unsafe interactions among components – Complex human, software behavior – Design errors – Flawed requirements

• esp. software-related accidents 2

STAMP Model

© Copyright John Thomas 2013

Controlled Process

Process

Model

Control

Actions Feedback

STAMP

• Controllers use a process model to determine control actions

• Accidents often occur when the process model is incorrect

• Four types of hazardous control actions: 1) Control commands required for safety

are not given 2) Unsafe ones are given 3) Potentially safe commands but given too

early, too late 4) Control action stops too soon or applied

too long

Controller

3

Explains software errors, human errors, component interaction accidents, components failures …


Example Safety Control Structure

STAMP and STPA

Accidents are caused by inadequate control

5

STAMP Model


STAMP and STPA


6

CAST Accident Analysis

How do we find inadequate control that caused the accident?

STAMP Model


STAMP and STPA


7

CAST Accident Analysis

How do we find inadequate control in a design?

STPA Hazard

Analysis

STAMP Model


Today’s Tutorials

• Basic STPA Tutorial 10:15am – 3pm, in 54-100

• CAST Tutorial 10:15am – 3pm, in 56-154

• Security Tutorial (STPA-Sec) 10:15am – noon, room 32-082 (Presentations 1:30-3pm)

• Experienced users meeting 10:15am – 3pm, room 56-114

STPA Hazard Analysis

STPA (System-Theoretic Process Analysis)

• Identify accidents and hazards

• Construct the control structure

• Step 1: Identify unsafe control actions

• Step 2: Identify causal factors and control flaws

10

Controlled process

Control Actions

Feedback

Controller

(Leveson, 2011)

STAMP Model

STPA Hazard Analysis


Can capture requirements flaws, software errors, human errors

Definitions

• Accident (Loss)

– An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc.

• Hazard

– A system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss).

Definitions from Engineering a Safer World

Definitions • Accident (Loss)

– An undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc.

– May involve environmental factors outside our control

• Hazard

– A system state or set of conditions that, together with a particular set of worst-case environment conditions, will lead to an accident (loss).

– Something we can control in the design

Accident Hazard

Satellite becomes lost or unrecoverable

Satellite maneuvers out of orbit

People die from exposure to toxic chemicals

Toxic chemicals are released into the atmosphere

People die from radiation sickness

Nuclear power plant releases radioactive materials

People die from food poisoning Food products containing pathogens are sold


Identify Accident, Hazards, Safety Constraints

• System-level Accidents (Losses)

– ?

• System-level Hazards

– ?

• System-level Safety Constraints

– ?


Identify Accident, Hazards, Safety Constraints

• System-level Accident (Loss)

– Death, illness, or injury due to exposure to toxic chemicals.

• System-level Hazard

– Uncontrolled release of toxic chemicals

• System-level Safety Constraint

– Toxic chemicals must not be released

Additional hazards / constraints can be found in ESW p355 © Copyright John Thomas 2013

Control Structure Examples

Cyclotron

Proton Therapy Machine High-level Control Structure

Beam path and control elements


Gantry

Proton Therapy Machine High-level Control Structure

© Copyright John Thomas 2013 Antoine PhD Thesis, 2012

Proton Therapy Machine Control Structure

© Copyright John Thomas 2013 Antoine PhD Thesis, 2012

Adaptive Cruise Control

Image from: http://www.audi.com/etc/medialib/ngw/efficiency/video_assets/fallback_videos.Par.0002.Image.jpg

http://www.audi.com/etc/medialib/ngw/efficiency/video_assets/fallback_videos.Par.0002.Image.jpg

Qi Hommes

Chemical Plant

Image from: http://www.cbgnetwork.org/2608.html

http://www.cbgnetwork.org/2608.html

Chemical Plant

ESW p354

Image from: http://www.cbgnetwork.org/2608.html


http://www.cbgnetwork.org/2608.html

U.S. pharmaceutical safety control

structure

Image from: http://www.kleantreatmentcenter.com/wp-content/uploads/2012/07/vioxx.jpeg


http://www.kleantreatmentcenter.com/wp-content/uploads/2012/07/vioxx.jpeg



Ballistic Missile Defense System

Image from: http://www.mda.mil/global/images/system/aegis/FTM-21_Missile%201_Bulkhead%20Center14_BN4H0939.jpg

Safeware Corporation

http://www.mda.mil/global/images/system/aegis/FTM-21_Missile 1_Bulkhead Center14_BN4H0939.jpg








25

Controlled process

Control Actions

Feedback

Controller

(Leveson, 2012) © Copyright John Thomas 2013

STPA Step 1: Unsafe Control Actions (UCA)

Not providing causes hazard

Providing causes hazard

Incorrect Timing/ Order

Stopped Too Soon /

Applied too long

(Control Action)

Controlled process

Control Actions

Feedback

Controller


Step 1: Identify Unsafe Control Actions

Control Action

Process Model

Variable 1

Process Model

Variable 2

Process Model

Variable 3

Hazardous?

(a more rigorous approach)







28

Controlled process

Control Actions

Feedback

Controller


Controlled Process

Control

Algorithm

Control

Actions Feedback

System Theoretic Process Analysis

• Explain why and how UCAs may occur

• Control actions are based on:

• Process model

• Control algorithm

• Feedback

• Flaws?

Controller

29

Process

Model


STPA Step 2: Identify Control Flaws

30

Inadequate Control Algorithm

(Flaws in creation, process changes,

incorrect modification or adaptation)

Controller Process Model

(inconsistent, incomplete, or

incorrect)

Control input or external information wrong or missing

Actuator Inadequate operation

Inappropriate, ineffective, or

missing control action

Sensor Inadequate operation

Inadequate or missing feedback Feedback Delays

Component failures

Changes over time

Controlled Process

Unidentified or out-of-range disturbance

Controller

Process input missing or wrong Process output contributes to system hazard

Incorrect or no information provided

Measurement inaccuracies

Feedback delays

Delayed operation

Conflicting control actions

Missing or wrong communication with another controller

Controller

STPA Examples

31

ITP Exercise

a new in-trail procedure for trans-oceanic flights

32

STPA Exercise


• Draw the control structure – Identify major components and controllers

– Label the control/feedback arrows

• Identify Unsafe Control Actions (UCAs) – Control Table:

Not providing causes hazard, Providing causes hazard, Stopped too soon

– Create corresponding safety constraints

• Identify causal factors – Identify controller process models

– Analyze controller, control path, feedback path, process


Example System: Aviation

System-level Accident (Loss): ? © Copyright John Thomas 2013

Example System: Aviation

System-level Accident (Loss): Two aircraft collide © Copyright John Thomas 2013

System-level Accident (Loss): Two aircraft collide

System-level Hazard: ?


Hazard • Definition: A system state or set of conditions

that, together with a particular set of worst-case environmental conditions, will lead to an accident (loss).

• Something we can control

• Examples: Accident Hazard









System-level Accident (Loss): Aircraft crashes

System-level Hazard: Two aircraft violate minimum separation


Aviation Examples

• System-level Accident (loss)

– Two aircraft collide

– Aircraft crashes into terrain / ocean

• System-level Hazards

– Two aircraft violate minimum separation

– Aircraft enters unsafe atmospheric region

– Aircraft enters uncontrolled state

– Aircraft enters unsafe attitude

– Aircraft enters prohibited area

STPA Exercise





Not providing causes hazard, Providing causes hazard, Wrong timing, Stopped too soon





North Atlantic Tracks

STPA application: NextGen In-Trail Procedure (ITP) Current State

Proposed Change

• Pilots will have separation information

• Pilots decide when to request a passing maneuver

• Air Traffic Control approves/denies request

STPA Analysis

• High-level (simple) Control Structure

– Main components and controllers?

? ? ?


STPA Analysis


– Who controls who?

Flight Crew? Aircraft? Air Traffic

Controller?


STPA Analysis


– What commands are sent?

Aircraft

Flight Crew

Air Traffic Control

?

?

?

?


STPA Analysis


Aircraft

Flight Crew

Air Traffic Control

Issue clearance

to pass

Execute maneuver

Feedback?

Feedback?


STPA Analysis

• More complex control structure


FAA

Congress

ATC

Aircraft

Example High-level control structure

Pilots

Directives, funding

Regulations, procedures

Instructions

Execute maneuvers

Reports

Reports

Aircraft status, position, etc

Acknowledgement, requests


ATC Ground Controller

Updates and acknowledgements

Aircraft

Instructions

Aircraft

Other Ground Controllers

ATC Front Line Manager (FLM)

Company Dispatch

ATC Radio

ACARS Text Messages

Instructions Status Updates



Status

Query


Aircraft Aircraft

Pilots Pilots Pilots Pilots Execute

maneuvers Execute

maneuvers Execute

maneuvers Execute

maneuvers

Air Traffic Control (ATC)


STPA Exercise










Identify Unsafe Control Actions

Flight Crew Action (Role)


Providing Causes hazard


Stopped Too Soon

Execute Passing

Maneuver

Pilots perform ITP when ITP

criteria are not met or request

has been refused

ATC

Pilots

Instructions

Execute maneuvers Aircraft status, position, etc

Acknowledgement, requests

Aircraft

Structure of a Hazardous Control Action

Four parts of a hazardous control action – Source Controller: the controller that can provide the control action – Type: whether the control action was provided or not provided – Control Action: the controller’s command that was provided /

missing – Context: conditions for the hazard to occur

• (system or environmental state in which command is provided)

52

Source Controller

Example: “Pilots provide ITP maneuver when ITP criteria not met”

Type

Control Action Context


Defining Safety Constraints

Unsafe Control Action Safety Constraint

Pilot does not execute maneuver once it is approved

Pilot must execute maneuver once it is approved

Pilot performs ITP when ITP criteria are not met or request has been refused

Pilot must not perform ITP when criteria are not met or request has been refused

Pilot starts maneuver late after having re-verified ITP criteria

Pilot must start maneuver within X minutes of re-verifying ITP criteria


STPA Exercise










STPA Analysis: Causal Factors

Process Model

UCA: Pilots perform ITP when ITP criteria are not met

• How could this action be caused by: – Process model

– Feedback

– Sensors

– Etc?

• Also consider control action not followed Controlled

Process


Hint: Causal Factors

STPA Analysis: Causal Factors


Traffic Collision Avoidance System (TCAS)


• Monitors airspace around aircraft

• Can provide advisories to warn pilot of potential collision

• System-level Accidents?

• System-level Hazards?

TCAS

Instructions Instructions

ATC

Instructions

TCAS

Instructions


Accident • Definition: An undesired or unplanned event that

results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc.

• May involve environmental factors outside our control

• Examples:

Accident Hazard










• Aircraft Accident: Two or more aircraft collide

• Aircraft Hazard: Near Mid Air Collision (NMAC)

• TCAS Hazard: TCAS causes or does not prevent NMAC



• Monitors airspace around aircraft

• Can provide advisories to warn pilot of potential collision

Create control structure


Traffic Collision Avoidance System (TCAS) Example Control Structure:

FAA

Local ATC Ops Mgmt.

Air Traffic Control

TCAS

Pilot Pilot

A/C A/C

Radar

Flight Data

Processor

TCAS







64

Controlled process

Control Actions

Feedback

Controller


TCAS


Providing causes hazard


Stopped Too Soon / Applied too long

Resolution Advisory (RA)

TCAS does not provide an RA when collision imminent

Identify Unsafe Control Actions

Example Control Structure FAA

Local ATC Ops Mgmt.

Air Traffic Control

TCAS

Pilot Pilot

A/C A/C

Radar

Flight Data

Processor

TCAS


Structure of a Hazardous Control Action

Four parts of a hazardous control action – Source Controller: the controller that can provide the control action – Type: whether the control action was provided or not provided – Control Action: the controller’s command that was provided /

missing – Context: conditions for the hazard to occur

• (system or environmental state in which command is provided)

66

Source Controller (SC)

Example: “TCAS does not provide RA when collision imminent”

Type (T)

Control Action (CA) Context (Co)







67

Controlled process

Control Actions

Feedback

Controller


TCAS

Identify Causal Factors

UCA1: TCAS does not provide an RA when collision imminent SC1: TCAS must always provide necessary RA to prevent imminent NMAC (<25 sec to collision)

• What might violate this safety constraint? • Process model flaws? • Control algorithm

flaws? • Poor feedback? • Component failures?

Control Structure

FAA

Local ATC Ops Mgmt.

Air Traffic Control

TCAS

Pilot Pilot

A/C A/C

Radar

Flight Data

Processor

TCAS


STPA Step 2: Identify Control Flaws

69

Inadequate Control Algorithm

(Flaws in creation, process changes,

incorrect modification or adaptation)

Controller Process Model

(inconsistent, incomplete, or

incorrect)

Control input or external information wrong or missing

Actuator Inadequate operation

Inappropriate, ineffective, or

missing control action

Sensor Inadequate operation

Inadequate or missing feedback Feedback Delays

Component failures

Changes over time

Controlled Process

Unidentified or out-of-range disturbance

Controller

Process input missing or wrong Process output contributes to system hazard

Incorrect or no information provided

Measurement inaccuracies

Feedback delays

Delayed operation

Conflicting control actions

Missing or wrong communication with another controller

Controller


UCA1: TCAS does not provide an RA when collision imminent SC1: TCAS must always provide necessary RA to prevent imminent NMAC (<25 sec to collision)

STPA Primer

• Written for industry to provide guidance in learning STPA

– Not a book or academic paper

– “living” document

– Google “STPA Primer”


Group Exercise: JAXA H-II Transfer Vehicle (HTV)

Date post:	02-Jan-2017
Category:	Documents
Upload:	phamtuong
View:	227 times
Download:	3 times

Systems Theoretic Process Analysis (STPA)

Documents